Spycatcher and Reds under the Bed

It is hard to explain to my junior colleagues how seriously we considered the threat to Western Europe from Warsaw Pact invasion in the 1980s. When I was commissioned in the RAF in 1984, its manpower strength was over 93,000 – its strength is currently planned to fall by 2015 to 31,000. A significant proportion of the RAF was located in Germany (as was the British Army), which, together with all air defence stations in the UK, maintained a high degree of readiness. Those of us serving during that period were well used to “no-notice call outs” and alerts, which somehow always seemed to be between 4 – 6 am.

It was in this Cold War environment that spies and spying thrived. This was an age of active mole hunts and speculation over the identities and range of the Cambridge spy ring – “reds under the bed” being the ultimate McCarthyist fear. So any threat to national security that a former spy’s autobiography could present was a critical matter. This was exactly the problem of Peter Wright, a former member of MI5 and Assistant Director who had retired to Tasmania, whose autobiography “Spycatcher: The Candid Autobiography of a Senior Intelligence Officer” (Spycatcher) was to be published first in Australia. It was also published in the United States of America. Disclosure of state secrets by Wright was, not surprisingly, in breach of the Official Secrets Act 1911.

The Government first attempted to bring an action in Australia to restrain publication of Spycatcher, but this ultimately failed (the book was eventually published in Australia in October 1987). Articles on the Australian legal proceedings were published in The Observer and The Guardian. These newspapers were then subject to an interlocutory injunction in June 1986 to restrain them from publishing information obtained by Wright. The Sunday Times also began to serialise Spycatcher, before and in anticipation of its publication in the US in July 1987. The Attorney General obtained further injunctions. These injunctions were discharged on application by the newspapers – the Court of Appeal dismissed the Attorney General’s appeals, so the joined cases reached the House of Lords (Attorney General v Observer Ltd [1990] 1 AC 109). The issue for the House of Lords was the question of publication in breach of a duty of confidence – was the duty of confidence outweighed by a countervailing public interest?

This is where the Spycatcher case has immediate relevance. Whilst The Sunday Times was ordered to account for profits it made as a result of its first serialisation of an extract from the book, which was in breach of a duty of confidence, it was recognised by their Lordships that once the book was published in the US and its contents became widely known, so that the information in the book was no longer confidential, injunctions were no longer necessary.

It should also be remembered that although the Attorney General sought injunctions in England (& Wales), the Lord Advocate failed to seek an interdict in Scotland, so that distribution of Spycatcher and reporting on it was at all times legal in Scotland.  Even if an interdict had been obtained, there is a more recent Scots Law case that follows the Spycatcher precedent (Lord Advocate v Scotsman Publications [1989] UKHL 7).

Does this sound familiar, given CTB v News Group Newspapers Limited and Imogen Thomas?  Will the courts continue to support injunctions against The Sun and Imogen Thomas when as a result of publication abroad, on Twitter or elsewhere, the private information being protected from publication is in the public domain (assuming that there has been no breach of the original anonymised injunction by The Sun or Imogen Thomas)?

CTB -v- Twitter, Inc. and Persons Unknown (Case No. HQ11X01814)

Royal Courts of Justice (ValP) / CC BY-SA 2.0

If you do not know what the outside of the Royal Courts of Justice on the Strand in London looks like, the picture above may help.  However, we expect that if you watch any UK television news, you will also see plenty of TV reporters do pieces to camera from outside the court.  This will particularly be the case around the date of this post because the case of CTB v. Twitter Inc. and Persons Unknown (Case No. HQ11X01814) is inevitably going to receive plenty of attention.  It has all the topical ingredients that media reporters could wish for: the case has been brought by a Premier League professional footballer (at present known merely as CTB); it references super-injunctions and involves the Llanelli glamour model, Imogen Thomas (plenty of scope for gratuitous library video footage).

However, whilst not denying these interesting elements, what we are interested in is the attempt to bring an action in the High Court in England (& Wales) against “Twitter, Inc. and Persons Unknown”.  Some of the background to the case is described in our previous post: Footballer CTB is suing Twitter.

It appears that as the claim form has yet to be served, its details have not yet been made public.

There are a number of questions that arise from the case.  How can CTB bring a claim against “Persons Unknown”?  Given that these are likely to be anonymous Twitterers, CTB cannot serve upon them any statement of claim or injunction.  In circumstances such as these, CTB could seek to obtain a Norwich Pharmacal Order in respect of each of the unknown persons.  A Norwich Pharmacal Order requires a third party to disclose the information that would enable unknown persons to be identified for the purposes of civil proceedings.  However, this is not appropriate in these circumstances as the person with the relevant identity information, Twitter, is outside of the jurisdiction.

Fortunately for CTB, there is a procedure to enable him to seek the Court’s permission to serve the claim form and orders out of the jurisdiction (Section IV of Part 6 of the Civil Procedure Rules).  The method for service is likely to be one of the methods permitted by the Hague Convention of 1965 on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, to which the UK and the United States of America are parties.  It remains to be seen whether, even if these steps are taken and Twitter is successfully served with the statement of claim or any Norwich Pharmacal Orders, Twitter would take any notice of them and submit to the jurisdiction of the High Court.

The next question concerns the nature of the statement of claim.  We speculate that it must be an application to commit to prison the persons, including Twitter, for aiding and abetting the breach of the original injunction against The Sun (NGN Limited) and Imogen Thomas (and thus being themselves in contempt of court).  Rather than prison, the disobedient parties can be subject to an unlimited fine and the court can order any act to be done at their expense. Until the claim form is in the public domain, we cannot be sure.  We are not aware at this point of any ISPs or social media platforms being the subject of this type of application, so we cannot say whether the High Court would be persuaded by the so-called “mere conduit” defence that Twitter could raise.  Strictly, this defence arises under the Electronic Commerce (EC Directive) Regulations 2002 (Regulation 17), enabling service providers of an information society service to evade liability for the content of information passing through their networks over which they have no control. Whilst the terms of the regulation give service providers a defence so that they “shall not be liable for damages or for any other pecuniary remedy or for any criminal sanction”, we believe this has not been raised as a defence in contempt of court proceedings.

Revised cookies’ law and lack of guidance takes the biscuit

Les Cookies © Jonathan Kowalski

I was asked a couple of days ago to prepare an email alert for clients on a commercial law update circulation list to describe compliance steps required for the new cookies law. This turns out to be virtually impossible. Much as it pained me, the advice really comes down to the cliché lawyers’ answer of, “It depends”.

Together with my colleague Mark Alsop, we finally went with this:

When we issue email alerts on an imminent change in law that is likely to have a wide impact on normal business activities, we seek to give clear guidance on what steps must be taken for compliance with the new law.

Regrettably, this is rather difficult to do for the new law on the use of cookies, which comes into effect on 26 May 2011.

A cookie is a small file of letters and numbers placed by a website onto a user’s computer when he or she accesses the website.  They allow a website to recognise a user’s computer and to adjust the user’s experience of the website accordingly – cookies can be used for authentication, storing preferences, managing shopping baskets, tracking web-browsing and many other things.  A website may place several cookies onto a user’s computer.

The current law requires users to be given information about the use of cookies, which information must include details on how the user can opt out of cookies’ use – this is contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003.  As their name implies, the Regulations implement a European Union Directive (Directive 2002/58/EC).  Compliance has usually involved no more than including a statement in website terms and conditions or privacy policy on the use of cookies.  The law applies not just to cookies, but also to alternatives that perform similar functions, such as tracking by IP address, hidden form fields and flash cookies – all covered by the word “cookies” for the purposes of this note.

This Directive has been amended so that, as well as giving users information on exercising an opt out, usually by changing their browser settings to reject any cookies, no cookies can now be used lawfully unless the user has given his or her consent to their use.

The change is practically difficult to implement without spoiling the user’s browsing experience.  It had been thought (hoped) that having browser settings which permit cookies would amount to consent, but this has been rejected as a means of obtaining consent.

The UK Government did consult on appropriate amendments to the UK Regulations to make them easier to comply with, but that came to nothing when the Ministry of Justice announced that in future all Regulations implementing EU legislation will simply faithfully reproduce the revised EU Directive wording.

The Information Commissioner’s Office (ICO) has recently published guidance on the new cookie law, but this does not give any definitive, practical assistance in compliance.  Instead, it recognises that the new law is difficult to implement.  It merely advises that companies review their use of cookies and consider how they may be able to obtain the consent called for by the new regulation.

We can therefore only repeat the ICO advice.  Audit your use of cookies and consider how intrusive your use of the cookies is.  Then see how best you can get (and record) users’ consent.  The guide suggests methods involving features such as pop ups, terms and conditions and settings, i.e. asking users for consent at points where they already have to make choices in relation to the website.  These methods will of course not always be available.  The guidance does acknowledge that it will be particularly challenging to obtain consent in relation to “third party cookies” (which allow third parties to set cookies on a user’s computer).

There are reports that the Government is working with browser suppliers to bring in browsers that can give compliant consent.  This will be a big step forward, but as the guidance points out, there will remain the problem of users who do not upgrade to such browsers.

Two final observations.  First, the ICO expects websites to deal with the more intrusive cookies first.  Second, in terms of enforcement, the guidance acknowledges that there is no prospect of full compliance by 26th May, i.e. less than 3 weeks after the guidance was issued.  Instead, the ICO indicates that, for the time being, it is concerned to ensure that website owners have a realistic plan to achieve compliance.

The ICO states that further guidance will be issued “if appropriate, in future”.

Is 17p per unsecure online file a fair monetary penalty?

Scales of Justice © Alex Proimos

On 10 May 2011 the Information Commissioner imposed a £1,000 monetary penalty on Andrew Crossley, trading as ACS Law, for a serious breach of security that permitted over 6,000 individuals’ details to be accessible on an unsecured website. Already, there is much discussion on the internet as to the fairness of this penalty. Has justice been done?

Internet comment is not likely to be objective in the case of ACS Law, given that it was the law firm targeted by hackers for a distributed denial of service attack as retribution for its perceived aggressive approach to internet users claimed to be illegal copyright infringers (see the Wikipedia entry for ACS:Law). Andrew Crossley was reported to have made a profitable business pursuing copyright infringement cases – claiming he would be buying a Ferrari F430 Spider for cash.  The monetary penalty of £1,000 amounts to less than 17p for each individual’s details that ACS Law left unsecured on its website as part of its recovery from the DDOS.

However, the Information Commissioner has made it clear that had ACS Law still been trading, he would have imposed a monetary penalty of £200,000 (the maximum that could have been imposed was £500,000). Clearly the Information Commissioner was satisfied by the written representation sworn on oath by Andrew Crossley to reduce the fine to the token £1,000 – much to the chagrin of many on the internet less willing to accept Crossley’s pleas of reduced financial circumstances.

Other data controllers ought to reflect on the factors considered by the Information Commissioner in making the monetary penalty. In particular, the lack of investment in appropriate security measures was a major factor, as was the lack of appropriate IT-trained personnel in the organisation. In addition, whilst spending serious money to remedy the security breach (in ACS Law’s example, spending £20,000 to fix the problem) was considered as a mitigating factor, it was obviously not that significant given the level of the final penalty.

Lawyers and law firms also ought to take particular note that as far as the Information Commissioner is concerned, they cannot expect any leniency for any breach by them of the Data Protection Act 1998 – “Data controller is a lawyer and should have been fully aware of his obligations under the Act.”

School or Home Tuition Sales Agency?

Education Guardian

An article in yesterday’s EducationGuardian caught my eye, and not because of the parental anger at schools pressure-selling private tuition. What concerns me is the blatant direct marketing of a third party’s services by a school.

The story, if you did not click on the link, concerned parents’ anger at receiving letters signed by school headteachers on school headed notepaper marketing a DVD home tuition scheme of the Student Support Centre, a trading name of The Student Support Centre (UK) Limited (who, incidentally, fail to give their company name anywhere on their website, as far as I can see).  EducationGuardian discovered that the Student Support Centre pays schools an administrative fee for this marketing, but the article is unclear about what this fee is.  Anthony Lee, founder and chairman of the Student Support Centre, is quoted as saying he makes a “small token payment of up to £160”.

From a data protection point of view, the most obvious question is, do the schools that cooperate with the Student Support Centre or other home tuition companies include direct marketing as a purpose in their data protection notices?  Personal data, which in these circumstances must include the parents’ names and addresses for school pupils, must be processed in a fair and lawful manner.  To be fair and lawful, the person who “owns” the personal data must give their details and the  purposes for which the data will be processed (see paragraph 1 of Part I – the First Data Protection Principle – and paragraph 1 of Part II of the Data Protection Act 1998, Schedule 1).  Also, personal data cannot be processed in any manner incompatible with any stated (and notified) purpose or purposes (paragraph 2 of Part I, the Second Data Protection Principle).

There is no data protection fair processing notice or privacy policy for the primary school discussed in the story, Towerbank primary, or Edinburgh City Council, available on their websites, so I cannot comment on the school in question.  However, I would not expect direct marketing to be a usual purpose notified to parents.  As an example of a model schools’ data protection fair processing notice, I am pleased to see that my local council, Hampshire County Council, has an excellent precedent.

Schools may wish to consider whether receipt of a small token payment is enough of an incentive to breach the Data Protection Act 1998, for which monetary penalties of up to £500,000 can be imposed by the Information Commissioner for serious breaches.